Improper Input Validation (JNDI Injection) in JMSMessageConsumer
Description
Apache Flume 1.4.0 through 1.10.0 are vulnerable to RCE via a JNDI LDAP URI in JMS Source, fixed by restricting JNDI to the java protocol.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Flume versions 1.4.0 through 1.10.0 contain a remote code execution (RCE) vulnerability in the JMS Source component. The root cause is insufficient validation of JNDI URIs in the JMSMessageConsumer class, which passes the configured destination name to InitialContext.lookup() without restricting the URI scheme. An attacker who controls the LDAP server that such a URI points to can return a malicious reference that leads to arbitrary code execution when the Flume agent performs the lookup [1][2].
Exploitation requires the Flume configuration to use a JMS Source with a jndiProviderURL pointing to an LDAP server under the attacker's control. If an attacker can modify the configuration file or trick an administrator into using a malicious URI, they can achieve remote code execution without additional authentication [1]. The vulnerable code path is exercised each time the JMS source consumes messages.
A successful attack allows the adversary to execute arbitrary Java code in the context of the Flume agent, potentially exfiltrating sensitive data, disrupting log collection, or moving laterally within the network. The impact is critical, as Flume often operates in trusted environments with high privileges [1][2].
The fix, introduced in commit 7fe9af49, validates the scheme of the JNDI destination name at lookup time and accepts only the java scheme or no scheme at all. Users should upgrade to a Flume version later than 1.10.0 or apply the patch manually. As a workaround, restrict JMS Source JNDI URIs to trusted servers and to the java scheme [3].
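The scheme rule from the fix can also be applied ahead of time to an agent's configuration. The following added example (not code from the Flume project) audits a Flume agent properties file for JNDI-located JMS sources whose destination name carries a scheme other than java; it assumes the Flume JMS Source property names type, destinationLocator and destinationName, uses a constructed sample configuration, and, unlike the patch, treats a name that is not a valid URI as a rejection.

```java
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Flags JMS sources whose JNDI destination name the 1.10.1 check would reject at lookup.
public class FlumeJmsConfigAudit {
  // Constructed sample agent configuration, not taken from any real deployment.
  static final String SAMPLE_CONFIG = String.join("\n",
      "agent.sources = orders audit",
      "agent.sources.orders.type = jms",
      "agent.sources.orders.destinationLocator = JNDI",
      "agent.sources.orders.destinationName = java:comp/env/jms/orders",
      "agent.sources.audit.type = jms",
      "agent.sources.audit.destinationLocator = JNDI",
      "agent.sources.audit.destinationName = ldap://example.invalid:389/cn=audit");

  // Same rule as the fix (no scheme or "java" passes); a malformed name is rejected too (fail closed).
  static boolean isAllowedDestination(String name) {
    try {
      String scheme = new URI(name).getScheme();
      return scheme == null || scheme.equals("java");
    } catch (URISyntaxException e) {
      return false;
    }
  }

  // Returns "source -> destinationName" for every JNDI-located JMS source that fails the check.
  static List<String> audit(String config) throws IOException {
    Properties p = new Properties();
    p.load(new StringReader(config));
    List<String> findings = new ArrayList<>();
    for (String key : p.stringPropertyNames()) {
      if (!key.endsWith(".destinationName")) continue;
      String src = key.substring(0, key.length() - ".destinationName".length());
      boolean jndiJms = "jms".equals(p.getProperty(src + ".type"))
          && "JNDI".equalsIgnoreCase(p.getProperty(src + ".destinationLocator"));
      if (jndiJms && !isAllowedDestination(p.getProperty(key))) {
        findings.add(src + " -> " + p.getProperty(key));
      }
    }
    return findings;
  }

  public static void main(String[] args) throws IOException {
    audit(SAMPLE_CONFIG).forEach(f -> System.out.println("non-java JNDI destination: " + f));
  }
}
```

With the sample configuration the audit reports only the `agent.sources.audit` source; sources whose type is given as the fully qualified JMSSource class name would need the type comparison widened.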
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.flume.flume-ng-sources:flume-jms-source (Maven) | >= 1.4.0, < 1.10.1 | 1.10.1 |
Affected products
- Apache Software Foundation / Apache Flume (range: flume-jms-source)
Patches
- 7fe9af49c485: FLUME-3428 - Validate the parameter
3 files changed · +28 −1
flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java+15 −0 modified@@ -35,11 +35,14 @@ import javax.jms.Topic; import javax.naming.InitialContext; import javax.naming.NamingException; +import java.net.URI; +import java.net.URISyntaxException; import java.util.ArrayList; import java.util.List; class JMSMessageConsumer { private static final Logger logger = LoggerFactory.getLogger(JMSMessageConsumer.class); + private static final String JAVA_SCHEME = "java"; private final int batchSize; private final long pollTimeout; @@ -99,6 +102,14 @@ class JMSMessageConsumer { throw new IllegalStateException(String.valueOf(destinationType)); } } else { + try { + URI uri = new URI(destinationName); + String scheme = uri.getScheme(); + assertTrue(scheme == null || scheme.equals(JAVA_SCHEME), + "Unsupported JNDI URI: " + destinationName); + } catch (URISyntaxException ex) { + logger.warn("Invalid JNDI URI - {}", destinationName); + } destination = (Destination) initialContext.lookup(destinationName); } } catch (JMSException e) { @@ -209,4 +220,8 @@ void close() { logger.error("Could not destroy connection", e); } } + + private void assertTrue(boolean arg, String msg) { + Preconditions.checkArgument(arg, msg); + } }
flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java+7 −1 modified@@ -129,11 +129,17 @@ void assertBodyIsExpected(List<Event> events) { } } - JMSMessageConsumer create() { + JMSMessageConsumer create(JMSDestinationType destinationType, + JMSDestinationLocator destinationLocator, String destinationName) { return new JMSMessageConsumer(WONT_USE, connectionFactory, destinationName, destinationLocator, destinationType, messageSelector, batchSize, pollTimeout, converter, userName, password, Optional.<String>absent(), false, ""); } + + JMSMessageConsumer create() { + return create(this.destinationType, this.destinationLocator, this.destinationName); + } + @After public void tearDown() throws Exception { beforeTearDown();
flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java+6 −0 modified@@ -93,6 +93,12 @@ public void testCreateConsumerFails() throws Exception { verify(connection).close(); } } + + @Test(expected = IllegalArgumentException.class) + public void testInvalidDestination() throws Exception { + create(null, JMSDestinationLocator.JNDI, "ldap://localhost:389/test"); + } + @Test(expected = IllegalArgumentException.class) public void testInvalidBatchSizeZero() throws Exception { batchSize = 0;
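Review bot: In the JNDI branch of JMSMessageConsumer.java (the `@@ -99,6 +102,14 @@` hunk), the `catch (URISyntaxException ex)` only logs `"Invalid JNDI URI - {}"` and then falls through to `destination = (Destination) initialContext.lookup(destinationName);`, so a destination name that `java.net.URI` cannot parse reaches JNDI without any scheme check at all. Make the catch fail closed in the same way as the unsupported-scheme case, e.g. by throwing `IllegalArgumentException` (or calling `assertTrue(false, "Invalid JNDI URI: " + destinationName)`) instead of just warning.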
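Review bot: The new `private void assertTrue(boolean arg, String msg)` helper in the `@@ -209,4 +220,8 @@` hunk of JMSMessageConsumer.java adds an indirection whose name reads like a JUnit assertion inside production code; calling `Preconditions.checkArgument(scheme == null || scheme.equals(JAVA_SCHEME), "Unsupported JNDI URI: " + destinationName)` directly at the validation site is clearer and leaves no doubt that an `IllegalArgumentException` is what the caller gets.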
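Review bot: `testInvalidDestination` in TestJMSMessageConsumer.java covers only the rejected `ldap://` case; the check also has two accepting branches (`scheme == null` and `scheme.equals(JAVA_SCHEME)`) and the warn-only `URISyntaxException` branch, none of which the patch exercises. Add tests that `create(null, JMSDestinationLocator.JNDI, "java:comp/env/jms/Queue")` and a plain JNDI name without a scheme still construct a consumer, plus one for a syntactically invalid name so the intended behaviour on that path is pinned down rather than left to the logger.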
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h9mh-mgpv-gqmv
- nvd.nist.gov/vuln/detail/CVE-2022-34916
- github.com/apache/flume/commit/7fe9af49c485756e1b618493a5bc00b70d7fbd2d
- issues.apache.org/jira/browse/FLUME-3428
- lists.apache.org/thread/qkmt4r2t9tbrxrdbjg1m2oczbvczd9zn